Hi Dmitri, Yes its solved now. It didn't work with single user mapping I had map all users as per the HOWTO and it worked. Initially I was trying with just one user mapped to ipa user which didn't worked.
Regards, Mohan > -----Original Message----- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Dmitri Pal > Sent: Thursday, October 03, 2013 10:06 PM > To: freeipa-users@redhat.com > Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication > required > > On 09/30/2013 10:59 PM, Mohan Cheema wrote: > >> -----Original Message----- > >> From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > >> boun...@redhat.com] On Behalf Of Sumit Bose > >> Sent: Monday, September 30, 2013 3:47 PM > >> To: freeipa-users@redhat.com > >> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication > >> required > >> > >> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote: > >>> Hi, > >>> > >>> > >>> > >>> We are trying to authenticate from Windows machine and getting > below > >> error. > >>> > >>> > >>> -------------------- > >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 > >> etypes {18 > >>> 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: u...@domain.com for > >>> krbtgt/domain....@domain.com, Additional pre-authentication > required > >> This is expected behaviour. The client will first send the AS-REQ > >> without any pre-authentication data. If the server requires > >> pre-authentication for this principal it will return this error to > the > >> client to indicate that pre-authentication is expected. > >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 > >> etypes {18 > >>> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes > >> {rep=18 > >>> tkt=18 ses=18}, u...@domain.com for krbtgt/domain....@domain.com > >> In the second AS-REQ the client has included some pre-authentication > >> data which is accepted by the KDC and a ticket is issued to the > client. > >> > >> HTH > >> > >> bye, > >> Sumit > >> > >>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 > >> etypes {18 > >>> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes > >> {rep=18 > >>> tkt=23 ses=23}, u...@domain.com for host/av.domain....@domain.com > >>> -------------------- > >>> > >>> > >>> > >>> We followed the instruction to integrate windows for > authentication. > >>> > >>> > >>> > >>> Windows Client: Windows server 2008 R2 > >>> > >>> > >>> > >>> We are not able to figure out what the problem is. > >>> > >>> > >>> > >>> We are not using DNS server, instead we are using host file > entries. > >> DNS > >>> server setup is not an option for us right now. > >>> > >>> > >>> > >>> Same user can authenticate from Linux machine. > >>> > >>> > >>> > >>> Regards, > >>> > >>> > >>> > >>> Mohan Cheema > >>> > >>> > >>> > >>> _______________________________________________ > >>> Freeipa-users mailing list > >>> Freeipa-users@redhat.com > >>> https://www.redhat.com/mailman/listinfo/freeipa-users > >> _______________________________________________ > >> Freeipa-users mailing list > >> Freeipa-users@redhat.com > >> https://www.redhat.com/mailman/listinfo/freeipa-users > > Thanks for the info Sumit. > > > > However, if ticket is issued user should be able to login to system. > Instead > > on Windows we are getting "user name or password is incorrect". Are > there > > any other setting that needs to be done so that user can login to > system. > > > This thread seems to have no follow up. > Was the problem solved? > AFAIR for Windows system to allow the authentication one really needs > to > map user to a local user. > There were some instructions in the HOWTO section of the IPA wiki. > Have you checked them? > > > > > Regards, > > > > Mohan > > > > _______________________________________________ > > Freeipa-users mailing list > > Freeipa-users@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager for IdM portfolio > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users